Tag Archives: privacy law

A German credit agency in is planning to analyse the creditworthiness of individuals by using information gathered from online sources such as Facebook and other social networking sites.

Schufa, Germany’s largest credit agency intends to assess peoples ability to make repayments by using “crawling techniques,” such as those used by Google, for the purpose of “identifying and assessing the prospects and threats.” A spokesman for Schufa told Spiegel Online that “everything is happening within the legal frameworks in Germany.”

Nevertheless, the proposal raises serious concerns over assessing a person’s reputation from information found on the web. Schufa is planning to analyse automatically recorded information on the Internet such as on social networks, and this can then be linked to the stored data gathered by the credit agency. Although Facebook pointed out that according to its terms and conditions, automatic registration of members was actually not permissible.

For a country with some of the strictest privacy laws in Europe, it is no surprise that the proposal has come under a strong criticism. Analysing data related to personal relationships which can be found on Facebook and Twitter in order to judge a persons creditworthiness is a severe invasion of privacy.

Since the German broadcaster NDR reported on the research project last Thursday there has been a public outcry. Numerous privacy advocates and politicians have strongly criticised the proposal.

Sabine Leutheusser-Schnarrenberger, the German Justice Minister, was quick to condemn the credit agency’s plans. She told the Spiegel that Facebook “friends and preferences” should not prevent an individual from, for example, being able to obtain a mobile phone contract. Leutheusser-Schnarrenberger stated “Schufa and other credit agencies should disclose their full intentions of using Facebook data to check creditworthiness.” She said that the data used to determine someone’s credit report is already controversial and called for the process to be made “fully transparent.”

On Thursday, the Justice Minister was joined by Consumer Protection Minister Ilse Aigner in warning Schufa and HPI about tracing individuals on social networks, and requested further information on the research plans. Rainer Brüderle a parliamentary member of the Free Democrats (FDP) stated that “Schufa’s plans go too far…social networks, like a circle of friends, are part of a person’s private life, and should therefore not be tapped.”

However, the Hasso Plattner Institute (HPI) which was to be commissioned by Schufa to develop a proposal for the project, has now pulled out due to mounting criticism from politicians and privacy advocates. The privately-funded information technology institute was going to explore the extent to which information from the Internet can help in evaluating the creditworthiness of individuals. HPI announced that it has withdrawn from the contract with Schufa.

In a statement, the institute claimed there had been some “misconceptions” by the general public about their research approach. HPI Director Christoph Meinel stated that the project could no longer be carried out with the ease and in the “unburdened” conditions necessary.

The move by HPI, a clear blow for Schufa, has been welcomed by critics of the proposal, but it is unclear whether the credit agency intends to pursue the project regardless. The proposal could be hugely damaging to the privacy of individuals, linking their private relationships and their online reputation to their creditworthiness seems hugely invasive. Schufa’s plans could have detrimental effects on a person’s everyday life and further highlight the dangers of disclosing personal information on the internet. It is unclear whether Germany, a country with some of the most sophisticated privacy laws in the world would be able to justify such actions in accordance with its legal framework.

While the appalling behaviour of Twitter users in the Ched Evans case has caused an uproar in the UK, there is a contrary case taking place in Germany. The recent social media use in the UK saw a rape victim being named on Twitter, whereas the German case involved a woman naming a man who had been harassing her by sending her sexually explicit messages. Ariane Friedrich an olympic high jumper who trained as a police officer, posted the name and location of the man who had been sending her the messages on Facebook. This has caused a huge discussion in Germany, where privacy laws are known to be particularly stringent.

The man allegedly sent her images of his genitals with the sexually explicit/suggestive message stating that he had “just showered and shaved”. Ms Friedrich became enraged and posted his name and location on Facebook, adding that she will be filing a complaint with the police shortly.

Since she posted the message 2200 people have clicked the “like” button under the post along with 400 comments. In a later post Ms Friedrich explained that she has “carefully read” through both supportive and critical comments. She added that “of course it had been a big step to make such a vulgar e-mail public”, but she said that this is not the first time she has been insulted and sexually harassed. She also stated that she had previously had a stalker. She claimed that she now felt it was time for her to act and to defend herself, even this posting sparked a huge reaction leading to a further 1100 comments. While some argue that her behaviour was completely justifiable, others claim that her self-administered justice amounts to an erosion of the law.

Her liability would depend on whether her claims are genuine or not and whether the named man actually sent those messages. If her assertion is proven to be true, then she will not be liable for defamation or libel. However if this is not the case, the situation could become more complex. In a well known German tabloid, the man (described in the German media as ‘a man with the same name as the alleged author to the messages’) claimed he had been hacked and has closed his Facebook account as a result. However it is probably unlikely that a judge would make the assumption that Ms Friedrich is accusing an innocent person. Therefore seems unlikely that she will be charged in relation to defamation. However she could be liable under civil law as she breached his right to privacy by making his personal details public. If the named man went to court over the issue he could possibly win in a civil claim, if the circumstances surrounding the publication of his details had sufficient gravity.

While the Friedrich case is very different to the Ched Evans/Twitter case, one case infringing the victims privacy while the other concerns the alleged perpetrator. Germany has much stricter privacy law than the UK, mainstream media are much more restricted than in the UK. Naming a rape victim, when they should have anonymity for life raises serious concerns about protecting victims. The contrast between these two cases highlights different aspects of privacy law and the ethical minefield surrounding social media.

Yesterday I attended the Scrambling for Safety conference at the LSE. I was really impressed by the wide range of speakers, from the leader of human rights group Liberty Shami Chakrabarti to the Conservative MP David Davis. Finally a real discussion featuring voices from a wide range of political and ideological affiliations, although noting the absence of any Labour politicians. It was a bit less exciting when I realised they all seemed to agree…

The members of the panel talked about the importance of privacy and the negative implications of the invasion of privacy. They also agreed, particularly Julian Huppert and David Davis MP, that politicians generally do not have a clue and often take advice from civil servants and security officials as fact. They often seem to rely on information without attempting to validate or research it themselves, probably due to the volume of information that relates to many issues. But what I really wanted to know was how much would it cost? Is it even viable or productive? Would it in any way benefit the general public in a way that would justify such an invasion of privacy? If not, why on earth was this happening? If stronger policies on surveillance are indeed necessary what are the alternatives?

Some light was shed on these questions in the second panel, who could not identify any real benefit of swamping the police with massive amounts of data and the chaos which would ensue as a result. Data gathering on such a large scale does not seem to make sense at all. If the government’s plans to combat serious crime and terrorism with these measures, this shows a clear lack of foresight. The panel emphasized that gathering data in this way would only catch very basic internet users, as there are so many ways to hide the data being picked up, such as using encrypted pages. Monitoring basic internet use, when more advanced users (you don’t need to be very advanced to use dropbox for example) know a way around it, would encourage a culture of “underground internet use”. This would only complicate things for the police/security services. It is also a waste of money and resources to invest in a policy that is fundamentally ineffective and extremely invasive of basic rights and freedoms. The costs are therefore certainly not outweighed by the benefits, which seem negligible if there even are any.

Whitfield Diffie, somewhat of a celebrity in the tech world, so I was told, addressed the issue of privacy of search terms such as e.g. divorce lawyers or cancer clinics which may be largely indicative of your private life. By accessing an individual’s search data the government would be enforcing a huge invasion of privacy, but it would also be largely counter productive and irrelevant to the police regarding surveillance matters.

A retired police officer in the audience stated that it appears the government are seeking to implement preemptive measures. Such data is often unusable and overwhelming to the police force because of the sheer volume. Analysing such data is complex and time consuming and thus provides little value in many investigations which need to be carried out swiftly. He gave the example of the recent shootings in Tolouse – France, where police had access to 500 intercepted email messages which provided a lead to the suspect. However the manpower to analyse and identify suspects in pressing operations will not always be available in relation to processing data. The police may not have enough people assigned to a particular case to be able to go through all the available data.

The conference was wrapped up by Nick Pickles from Big Brother Watch, who ended the day with a quote from David Cameron criticising Labour’s policies on surveillance. He pointed out that the coalition government must keep their word, something I fully agree with. He then added that he was standing for the Conservatives in the next election, making his short speech seem a little more like a self interested campaign. However the fact that the organisers were from a wide variety of civil society organisations allowed a broad discussion on an issue that affects everyone regardless of their political affiliation.

The main arguments made at the conference, appeared to be that the proposal is not only a gross invasion of fundamental rights and freedoms in both national and European law, but that it is also both costly and ineffective. The plan seems to be based on a misinformed and misguided policy relating to security, which doesn’t seem to provide any benefit to government, the police or national security. While this issue could have huge negative consequences it is still barely understood by either government or the public.

Shami Chakrabarti used the quote “they say the innocent have nothing to hide – but they do have something to protect”. At present there is little legislation relating to privacy law in the UK and Article 8 of the European Convention on Human Rights (ECHR) – the right to a private and family life, is often loosely applied. The Scrambling for Safety conference highlighted the fact that even current law on communications remains highly contentious. The proposed casual and constant invasion of privacy is not in the public interest, neither in terms of security nor cost. The proposal is unrealistic and inappropriate, what is really needed in the UK are stronger privacy laws/rights to protect our freedom and to fully integrate and apply Article 8 of the ECHR in national law.